Notepad++ under supply chain attack: the manipulated update that left backdoors

Published. 5 min read. 126 reads.

A program many of us use daily turned out to be less harmless than we thought: the Notepad++ update mechanism was manipulated to redirect downloads to malicious servers. The team behind the popular text editor announced that the problem was not caused by a flaw in the application code but by an infrastructure-level intrusion at the hosting provider, which allowed the attackers to intercept and divert update traffic.

According to the project's official statement, the company hosting notepad-plus-plus.org suffered a breach that allowed certain requests from the WinGUp updater to be sent to destinations controlled by the attackers. The risk was not limited to an outage or a defaced website: the mechanism was more dangerous because some users, when checking for updates, downloaded altered executables that could contain malicious code.

Image generated with AI.

This type of incident illustrates that the weak points in the supply chain are not always in the program we have installed but in the links that deliver it to the world: DNS servers, hosting platforms and internal credentials. In the case of Notepad++, maintainer Don Ho explained that the intrusion affected the provider's resources until September 2025, and that the attackers retained credentials that allowed them to keep redirecting traffic until December 2025. The official explanation is available in the project's public note.

External researchers, including security analyst Kevin Beaumont, put the episode in context and suggested that the vector was used by state-linked actors to conduct targeted attacks. Beaumont and other experts noted that the manipulation was selective: not all update traffic was affected; only specific users were redirected and received the malicious payloads. The profile of the campaign and the techniques used pointed to a state-sponsored operation. Beaumont published further details and technical commentary on his Twitter account.

To understand why a simple update can become a backdoor, look at how the integrity of updates is verified. If signature or checksum verification is inadequate, or is done blindly against data from the same source without a second validation layer, an intermediary with control of the infrastructure can swap a legitimate binary for another simply by manipulating the download route. A checksum published next to the binary on the same server proves only that the download was not corrupted in transit; it cannot prove who produced the file, because whoever controls the server can publish a matching checksum for any binary. Only a signature verified against a key the client already holds gives that guarantee. In Notepad++, the WinGUp component had a validation process that, under certain traffic-interception conditions, allowed the file to be replaced by a malicious one; the project's response therefore included a review and the publication of a corrected version.
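The following is an added example, not WinGUp's code or anything from the Notepad++ project. It contrasts an updater that trusts a checksum fetched over the same channel as the binary with one that also demands a signature valid under a release key embedded in the client. The hostname-free route model, the manifest format, the payloads and the key pairs are all constructed for the demo; in a real client only the public key is compiled in and the private key never leaves the release pipeline.

```go
// Added example, not WinGUp's or the Notepad++ project's code. Everything
// here (payloads, manifest format, keys) is constructed for the demo.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Release artefacts, constructed. The release key pair is generated here
// for convenience; a real client embeds only releasePub.
var (
	genuineInstaller           = []byte("MZ genuine installer (constructed)")
	maliciousInstaller         = []byte("MZ trojanised installer (constructed)")
	releasePub, releasePriv, _ = ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _         = ed25519.GenerateKey(rand.Reader)
)

// route models whatever answers the updater: "/manifest" or "/installer.exe".
type route func(path string) []byte

// Demo manifest format: "<sha256 hex>:<ed25519 sig hex>", the signature
// covering the SHA-256 digest of the installer.
func signManifest(priv ed25519.PrivateKey, installer []byte) []byte {
	sum := sha256.Sum256(installer)
	sig := ed25519.Sign(priv, sum[:])
	return []byte(hex.EncodeToString(sum[:]) + ":" + hex.EncodeToString(sig))
}

func parseManifest(m []byte) (sum, sig []byte, err error) {
	parts := strings.SplitN(string(m), ":", 2)
	if len(parts) != 2 {
		return nil, nil, errors.New("malformed manifest")
	}
	if sum, err = hex.DecodeString(parts[0]); err != nil {
		return nil, nil, err
	}
	if sig, err = hex.DecodeString(parts[1]); err != nil {
		return nil, nil, err
	}
	return sum, sig, nil
}

// honestRoute: the legitimate server answers both requests.
func honestRoute(path string) []byte {
	if path == "/manifest" {
		return signManifest(releasePriv, genuineInstaller)
	}
	return genuineInstaller
}

// hijackedRoute: the hosting is compromised, so the same name now serves the
// attacker's installer plus a manifest whose hash matches it. The attacker
// can sign with a key of their own, but not with the release key.
func hijackedRoute(path string) []byte {
	if path == "/manifest" {
		return signManifest(attackerPriv, maliciousInstaller)
	}
	return maliciousInstaller
}

// weakVerify trusts the hash published next to the installer. Whoever
// controls the route controls both values, so this catches corruption only.
func weakVerify(fetch route) (bool, error) {
	sum, _, err := parseManifest(fetch("/manifest"))
	if err != nil {
		return false, err
	}
	got := sha256.Sum256(fetch("/installer.exe"))
	if subtle.ConstantTimeCompare(got[:], sum) != 1 {
		return false, errors.New("hash mismatch")
	}
	return true, nil
}

// hardenedVerify adds the second layer: the digest must carry a signature
// that verifies under the release key the client already holds.
func hardenedVerify(fetch route, pub ed25519.PublicKey) (bool, error) {
	sum, sig, err := parseManifest(fetch("/manifest"))
	if err != nil {
		return false, err
	}
	got := sha256.Sum256(fetch("/installer.exe"))
	if subtle.ConstantTimeCompare(got[:], sum) != 1 {
		return false, errors.New("hash mismatch")
	}
	if !ed25519.Verify(pub, got[:], sig) {
		return false, errors.New("signature does not verify under embedded release key")
	}
	return true, nil
}

func main() {
	for _, c := range []struct {
		name string
		r    route
	}{{"honest", honestRoute}, {"hijacked", hijackedRoute}} {
		weakOK, _ := weakVerify(c.r)
		hardOK, err := hardenedVerify(c.r, releasePub)
		fmt.Printf("%-8s weak=%v hardened=%v err=%v\n", c.name, weakOK, hardOK, err)
	}
}
```

On the hijacked route the weak verifier accepts the trojanised installer because the published hash and the binary agree with each other; the hardened verifier rejects it because the attacker cannot produce a signature under the release key. Note that the host name never enters the check: a hosting-level compromise serves the malicious file under the legitimate name, so host pinning alone would not have helped.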

The timeline of the incident is of particular concern: according to the internal investigation, malicious activity could have started in June 2025 and continued for months before it was made public. A window that long gives attackers ample opportunity to compromise internal infrastructure, collect credentials and establish backdoors that survive the moment when control of the original server is recovered, which is exactly what the credentials retained until December 2025 show.

From the user's point of view the lesson is clear, if uncomfortable: trusting that a program updates itself safely through its own mechanism is not an absolute guarantee of security. In corporate environments this is critical: a utility installed on hundreds or thousands of machines can become a vector for lateral movement within the network if malicious code is injected into it. This is why many organizations have strengthened their supply chain policies, monitor outbound connections and audit the digital signatures of the installers they distribute to their device fleet.

Notepad++ has already moved its site to a new hosting provider and published updates to mitigate the flaw in the update mechanism. Even so, incidents like this often leave open questions about containment, the revocation of compromised credentials and verification that no dormant malicious code was left in the project's internal services during the period of compromise.

What can an ordinary user do? First, download the program and its updates from the official website and check the signatures or checksums when the developer provides them, keeping in mind that a checksum copied from the same page as the download is only as trustworthy as that page, while a signature verified against a key or certificate obtained independently is the stronger check. If you work on a corporate network, inform the security team and check whether there were connections to unusual domains during the period indicated. In practice, reviewing logs, checking integrity and, where possible, preferring updates backed by verifiable cryptographic signatures adds an important layer of defence.
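The corporate check described above (and the outbound-connection monitoring mentioned earlier) can be scripted against proxy or DNS logs. The following is an added example, not the project's code: it scans constructed proxy log lines for updater traffic that left the expected host during the incident window and shows how many machines reached each unexpected destination, which is where selective redirection of a few clients stands out. The log format, the `WinGUp` user-agent marker, the allowlist and the exact window boundaries are assumptions for the demo; take the real values from your proxy and from the vendor's own notes.

```go
// Added example, not the Notepad++ project's code. Log format, user-agent
// marker, allowlist and window boundaries are assumptions for the demo.
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Incident window as the article describes it: possible activity from June
// 2025, redirects possible until December 2025. Boundaries are an assumption.
var (
	windowStart = time.Date(2025, time.June, 1, 0, 0, 0, 0, time.UTC)
	windowEnd   = time.Date(2026, time.January, 1, 0, 0, 0, 0, time.UTC)
)

// expectedHosts is a hypothetical allowlist of where the updater should go;
// the real set must come from the vendor's documentation and your baseline.
var expectedHosts = map[string]bool{"notepad-plus-plus.org": true}

// Finding is one updater connection outside the allowlist inside the window.
type Finding struct {
	When   time.Time
	Client string
	Host   string
}

// findSuspiciousUpdaterConnections reads lines of the constructed form
//   <RFC3339 timestamp> <client> <user-agent> <destination host>
// and returns, in time order, updater connections to hosts not on the
// allowlist during the incident window. uaMarker selects the updater's
// traffic by user-agent substring (an assumption, not WinGUp's real string).
func findSuspiciousUpdaterConnections(logText, uaMarker string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || strings.HasPrefix(f[0], "#") {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue // unparsable timestamp: skip rather than guess
		}
		if ts.Before(windowStart) || !ts.Before(windowEnd) {
			continue
		}
		if !strings.Contains(f[2], uaMarker) {
			continue // browser or other traffic, not the updater
		}
		host := strings.ToLower(strings.TrimSuffix(f[3], "."))
		if expectedHosts[host] {
			continue
		}
		out = append(out, Finding{When: ts, Client: f[1], Host: host})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].When.Before(out[j].When) })
	return out
}

// distinctClientsPerHost counts how many machines reached each flagged host.
// Selective redirection shows up as hosts that only one or two clients ever
// contacted while the rest of the fleet kept using the expected host.
func distinctClientsPerHost(findings []Finding) map[string]int {
	seen := map[string]map[string]bool{}
	for _, f := range findings {
		if seen[f.Host] == nil {
			seen[f.Host] = map[string]bool{}
		}
		seen[f.Host][f.Client] = true
	}
	out := map[string]int{}
	for h, clients := range seen {
		out[h] = len(clients)
	}
	return out
}

// sampleLog is constructed data, not a real capture.
const sampleLog = `# constructed proxy log: timestamp client user-agent destination
2025-05-20T09:01:00Z ws-017 WinGUp/8.8.1 notepad-plus-plus.org
2025-07-03T08:15:42Z ws-017 WinGUp/8.8.2 notepad-plus-plus.org
2025-07-03T08:15:43Z ws-042 WinGUp/8.8.2 notepad-plus-plus.org
2025-07-03T08:15:44Z ws-042 WinGUp/8.8.2 cdn-updates.example.net
2025-09-11T14:02:10Z ws-042 Mozilla/5.0 cdn-updates.example.net
2025-11-28T17:40:05Z ws-103 WinGUp/8.8.5 mirror.example.org
2026-01-15T10:00:00Z ws-103 WinGUp/8.8.7 mirror.example.org
`

func main() {
	findings := findSuspiciousUpdaterConnections(sampleLog, "WinGUp")
	for _, f := range findings {
		fmt.Printf("%s %s -> %s\n", f.When.Format(time.RFC3339), f.Client, f.Host)
	}
	for h, n := range distinctClientsPerHost(findings) {
		fmt.Printf("%s reached by %d client(s)\n", h, n)
	}
}
```

On the constructed sample only two lines survive the filter: ws-042 reaching cdn-updates.example.net in July and ws-103 reaching mirror.example.org in November. The May entry falls before the window, the January 2026 entry after it, and the browser visit is not updater traffic. Each flagged host was reached by a single client while the rest of the fleet kept talking to the allowlisted host, which is the pattern to expect from a targeted redirect.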

Beyond individual actions, the community and technology companies need to make progress on standard practices that reduce the exposure of critical infrastructure: stricter policies at hosting providers, widespread adoption of signing mechanisms such as verified digital signatures, and transparency in binary delivery. There are resources and guides that explain these concepts and why update security is a pillar of digital hygiene; organizations such as OWASP study and disseminate principles for mitigating supply chain risk.


Cases like this rekindle the debate about who is responsible when a widely used tool is compromised: the development team, the infrastructure provider, the users, or a combination of all of them. What is clear is that the response requires transparency, audits and agile coordination to revoke compromised access and restore trust.

To follow the official timeline of the incident and the project's recommendations, see the note published by Notepad++ on its website (notepad-plus-plus.org, incident report). For technical commentary and context on attribution and the targeted nature of the attack, see the observations of independent researchers on Twitter and in their own publications, for example Kevin Beaumont's account @GossiTheDog.

The moral is that software security no longer ends at the source code we can see: it covers the routes that code travels until it reaches our machines. Staying informed, demanding transparency from developers and applying additional verification practices are, today more than ever, essential measures.
